Abstract — In 2016, Akansha S. et al. proposed an upgraded user authentication protocol. Our cryptanalysis of their scheme
found vulnerabilities in the registration and authentication parts. In the registration part, the gateway uses a generated
value as a secret and sends it to the sensor node, which has no information about the received secret value and cannot
verify its identity. In the authentication part, the user is unable to check the legitimacy of the received session key
generated by the sensor node. The protocol is implemented using only a one-way hash function, XOR and concatenation
operations, which is not adequate to provide authentication and confidentiality. In this paper, we suggest an ECC-based
user authentication scheme for WSNs, which eliminates the drawbacks of the previous scheme. The protocol reduces the
high-cost public-key operations of the sensor node and substitutes them with symmetric-key based operations.
I. Introduction

Nowadays, Wireless Sensor Networks (WSNs) have become a rich sphere of active research covering programming models,
distributed algorithms, routing protocols, signal processing, system design, data management and security. For most
WSN applications, security is a major concern. Resource constraints and computational limitations compel security
solutions in WSNs to differ from those of standard networks [1]. Sensor nodes are limited in terms of power consumption,
energy levels and memory size. Thus, compared with wired sensors, the nodes in WSNs are vulnerable to various passive and
active attacks. This makes security an essential factor for WSNs, where data integrity is the most important requirement.
Authentication has three major classes based on the primary cryptographic methods: asymmetric cryptography, symmetric
cryptography and hybrid methods [2]. Initially, it was estimated that WSNs would be composed only of equal sensor nodes.
Nowadays, however, we discuss heterogeneous WSNs, since sensor networks can be constructed with different kinds of nodes,
some of them equipped with better computational power than others (e.g. gateway nodes) [3]. The main security
requirements for WSNs are authentication, confidentiality, integrity, authorization, non-repudiation, availability and
freshness. User identification can be performed using three factors: physical attributes (for instance fingerprint,
retinal pattern etc.), documents and credentials (like smart card, ID card etc.), and personal information or password [4].

In our work, we show that Akansha S. et al.’s [5] user authentication scheme has some drawbacks: it does not provide
resistance against some attacks and is not secure enough. We also demonstrate that their scheme can be made much more
efficient by using ECC and removing some unnecessary steps. To eliminate the weaknesses and improve on the previous work,
we suggest an ECC-based user authentication scheme for wireless sensor networks, which is more secure than the previous
work.

The remainder of this paper is arranged as follows. Section 2 describes related works. Section 3 contains a brief review of 
Akansha et al.’s scheme. The weaknesses of Akansha et al.’s scheme are described in Section 4. In Section 5, some 
preliminaries and network model are reviewed. Section 6 presents our key agreement protocol. The security of the
proposed protocol is discussed in Section 7. We provide our research conclusions in Section 8. 

II. Related Work 

In this section, we analyze some of the related schemes proposed in the literature. In 2006, Wong et al. [6] presented
their lightweight authentication scheme. However, it has been discovered that their scheme has several weaknesses against
attacks such as forgery, replay and stolen-verifier attacks. In 2009, Das et al. [7] improved Wong et al.’s scheme and
proposed a two-factor secure authentication protocol for WSNs. Later, Das et al.’s scheme was upgraded by some researchers.
He et al. [8] proved that Das et al.’s protocol has some security pitfalls of impersonation attack since it doesn’t provide
easy password update facility. They offered an improved two-factor hash function protocol, which requires just three
message exchanges for user authentication. Chen et al. [9] also highlighted that Das et al.’s protocol does not provide
mutual authentication between the gateway and sensor node. In 2010, Khan and Alghathbar [10] offered some enhancements to
Das et al.’s scheme. They used the password’s hash value to get high password security and introduced a new idea of
pre-shared keys between sensor nodes and the gateway. In 2011, Yeh et al. [11] mentioned that Chen et al.’s scheme doesn’t
provide an easy password update phase and has no resistance against insider attack, and suggested an ECC-based user
authentication scheme.

In 2013, Shi et al. [12] presented a new user authentication protocol, which eliminates the vulnerability of Yeh et al.’s
protocol and is more efficient in terms of communication, security and computation cost. In 2014, Choi et al. [13]
highlighted that Shi et al.’s scheme is sensitive to some security flaws such as stolen smart card attacks, sensor node
energy exhausting attack and session key attack. Later, Anup K.M. et al. [4] pointed out several weaknesses in Choi et
al.’s scheme. During the analysis, they discovered that the proposed scheme is vulnerable to stolen smart card attack and
sensor node energy exhausting attack, and doesn’t provide resistance against node capture attack. Afterward, Turkanovic et
al. [3] suggested a scheme for mutual authentication, which Akansha S. et al. found to be a non-secure protocol with many
issues. They mentioned that the proposed scheme is not secure against session key recovery attack, replay attack,
impersonation attack and offline password guessing attack.


III. Review of Akansha S. et al.’s Scheme 

In this section, we briefly review Akansha S. et al.’s user authentication protocol. Their scheme contains three
entities: the user, the sensor node and the gateway. Akansha S. et al.’s scheme has three phases: registration phase,
login phase, authentication and password changing phase.

Table 1
Notations

Symbol | Definition
$U_i$ | User
$SC$ | Smart card
$S_j$ | $j^{th}$ Sensor Node
$ID_i$ | $i^{th}$ User’s identity
$ID_{S_j}$ | $j^{th}$ Sensor node’s identity
$PW_i$ | $i^{th}$ User’s password
$PW_{S_j}$ | $j^{th}$ Sensor node’s password
$GW$ | Gateway
$K_{GW}$ | Secure password known only to Gateway Node
$K_{GW\_U}$ | Gateway’s secret password key shared with the user $U_i$
$K_{GW\_S}$ | Gateway’s secret password key shared with the sensor node $S_j$
$T$ | Timestamp
$SK$ | Separately computed session key with private information of both user and sensor node
$\oplus$, $\|$, $h(.)$ | XOR, concatenation, lightweight one way hash function


Initially, each user and sensor node has their own identities ($ID_i$, $ID_{S_j}$) and secret passwords ($PW_i$, $PW_{S_j}$).
The gateway has both entities’ identity and password. From the beginning, the gateway creates random keys $K_{GW\_U}$ and
$K_{GW\_S}$ to establish secrecy with the user and the sensor node.
3.1 Registration Phase

3.1.1 Registration between $U_i$ and GW

The user $U_i$ computes $P_i = h(r_i \| h(PW_i))$ with generated random number $r_i$ and sends message $\{P_i, ID_i, T_{s1}\}$ to
the GW, which checks the validity of timestamp $|T_{s1} - T_c| < \Delta T$ and computes: $a_i = h(K_{GW\_U} \| ID_i)$,
$b_i = a_i \oplus h(P_i \| h(PW_i))$, $c_i = h(a_i \| h(PW_i) \| ID_i)$. The GW personalizes SC with values
$\{h(.), b_i, c_i, ID_i\}$ and sends it through a secure channel to $U_i$, who computes an additional value
$d_i = r_i \oplus h(ID_i \| PW_i)$ and inputs values $\{h(.), b_i, c_i, d_i, ID_i\}$ into SC.

3.1.2 Registration between GW and $S_j$

The sensor node $S_j$ computes $P_{S_j} = h(ID_{S_j} \| h(PW_{S_j}) \| T_{s2})$ and sends message $\{P_{S_j}, ID_{S_j}, T_{s2}\}$
to the GW, which checks the validity of timestamp $|T_{s2} - T_c| < \Delta T$ and checks the computed $P_{S_j}^*$ against
$P_{S_j}$. If the condition is satisfied, then GW computes the next values using $K_{GW}$:
$\beta_j = h(K_{GW\_S} \| ID_{S_j})$, $b_{S_j} = \beta_j \oplus h(ID_{S_j} \| h(PW_{S_j}))$,
$c_{S_j} = h(\ldots \| h(PW_{S_j}) \| ID_{S_j} \| T_{s3})$. The GW sends message $\{b_{S_j}, c_{S_j}, T_{s3}\}$ through a public
channel to $S_j$, which verifies validity of the received timestamp $|T_{s3} - T_c| < \Delta T$, extracts $\beta_j$ from
$b_{S_j}$ and computes new value $c_{S_j}^*$. $S_j$ checks $c_{S_j}^*$ against $c_{S_j}$ and stores value $\beta_j$.

3.2 Login Phase 

$U_i$ inserts SC into terminal and inputs $ID_i^*$ and $PW_i^*$. SC calculates $r_i^* = d_i \oplus h(ID_i^* \| PW_i^*)$,
$MP_i^* = h(PW_i^*)$, $P_i^* = h(r_i^* \| MP_i^*)$, $a_i^* = b_i \oplus h(P_i^* \| MP_i^*)$,
$c_i^* = h(a_i^* \| MP_i^* \| ID_i^*)$ and checks $c_i^*$ against $c_i$. $U_i$ creates random value $k_i$, calculates
$M_1 = k_i \oplus h(a_i \| MP_i)$, $M_2 = h(a_i \| MP_i \| k_i \| T_1)$ and sends message $\{M_1, M_2, ID_i, T_1\}$ to the
GW through a public channel.

3.3 Authentication Phase 

The GW checks timestamp $|T_1 - T_c| < \Delta T$ of the message received from $U_i$, computes
$k_i^* = M_1 \oplus h(a_i \| h(PW_i))$, $M_2^* = h(a_i \| h(PW_i) \| k_i^* \| T_1)$ and checks them against the received
values. GW calculates $y_{ij} = h(a_i \| \ldots \| ID_i \| ID_{S_j})$, $M_3 = a_i \oplus y_{ij}$,
$M_4 = h(y_{ij} \| M_3 \| ID_i \| T_2)$ and sends message $\{M_4 \| M_3 \| ID_i \| T_2\}$. $U_i$ verifies validity of timestamp
$|T_2 - T_c| < \Delta T$, computes $y_{ij}^* = a_i \oplus M_3$, $M_4^* = h(y_{ij} \| M_3 \| ID_i \| T_2)$ and checks them
against the received values. GW calculates $M_5 = k_i \oplus h(\beta_j \| ID_{S_j})$, $M_6 = \beta_j \oplus y_{ij}$,
$M_7 = h(y_{ij} \| k_i \| ID_{S_j} \| T_3)$ and sends message $\{M_5 \| M_6 \| M_7 \| ID_{S_j} \| ID_i \| T_3\}$ to $S_j$,
which checks validity of timestamp $|T_3 - T_c| < \Delta T$, computes $k_i^* = M_5 \oplus h(\beta_j \| ID_{S_j})$,
$y_{ij}^* = \beta_j \oplus M_6$, $M_7^* = h(y_{ij} \| k_i^* \| ID_{S_j} \| T_3)$ and compares value $M_7^*$ with the received
one. $S_j$ chooses random nonce $k_j$ and calculates $M_8 = k_j \oplus y_{ij}$, $M_9 = h(k_j \| ID_{S_j} \| T_4)$. Finally,
$S_j$ computes session key $SK = h(k_i \oplus k_j)$ and sends message $\{M_8 \| M_9 \| ID_i \| ID_{S_j} \| T_4\}$ to $U_i$,
who verifies validity of the received timestamp $|T_3 - T_c| < \Delta T$, calculates $k_j = M_8 \oplus y_{ij}$,
$M_9^* = h(k_j \| ID_{S_j} \| T_4)$, compares value $M_9^*$ with the received one and computes session key
$SK = h(k_i \oplus k_j)$.

3.4 Password Changing Phase 

$U_i$ inserts SC into terminal and inputs $ID_i$ and $PW^{OLD}$. SC verifies values and asks $U_i$ to choose new password.

IV. Security Flaws in Akansha S. et al.’s Scheme 

Some weaknesses of Akansha S. et al.’s protocol are detected and analyzed below:

1) In the registration part between the GW and sensor node, GW creates secret value $K_{GW\_S_j}$ and hides it inside of
$\beta_j$. Afterwards, the GW conceals value $\beta_j$ inside of $b_{S_j}$, $c_{S_j}$ and sends message
$\{b_{S_j}, c_{S_j}, T_{s3}\}$ to the sensor node, which extracts $\beta_j$ from $b_{S_j}$ by computing
$\beta_j = b_{S_j} \oplus h(ID_{S_j} \| h(PW_{S_j}))$. Because the sensor node doesn’t have information about $K_{GW\_S_j}$,
which is hidden inside of value $\beta_j$, sensor node $S_j$ is not able to determine the identity of GW. So, if an
adversary captures GW, then he can create his own forged secret value $K_{GW\_S_j}$ and send it to sensor node $S_j$.

2) In the last step of the registration part, user $U_i$ computes additional value $d_i = r_i \oplus h(ID_i \| PW_i)$ and
puts values $h(.), b_i, c_i, d_i, ID_i$ into the smart card. SC already contains values $d_i$ and $ID_i$. So, to extract
value $r_i$ from SC, an attacker only needs to guess value $PW_i$. Once $r_i$ is found, an adversary can obtain other values.

3) In the authentication part, sensor node $S_j$ calculates the session key using generated random value $k_j$. The GW and
user $U_i$ don’t know the value of $k_j$ or the session key. If an adversary captures sensor node $S_j$ and obtains stored
value $\beta_j$, then he can extract values $k_i$ and $y_{ij}$ from received values sent by the GW. Afterwards, the adversary
generates an arbitrary value $k_j$ and computes the session key. When user $U_i$ receives the message from sensor node
$S_j$, he cannot verify the identity of $k_j$ or the session key value.

4) Generally, in this scheme only hash, concatenation and XOR functions are employed. This may be the right decision in
terms of lower energy consumption and fast computational speed of sensor nodes. But we must remember that the first
requirement for an authentication protocol is security. Using only hash, concatenation or XOR functions is not secure
enough against modern attacks: research on attacks against the concatenation and XOR hash combiners [14], [15] points to
their vulnerabilities.
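
Flaw 2 traced through the equations of Sections 3.1.1 and 3.2, as an added example that is not code from this paper or from Akansha S. et al.: the smart card's login check needs nothing but the stored values, so it confirms a password candidate without any exchange with the GW and, on a match, yields $r_i$ and $a_i$. SHA-256 as h(.), the 32-byte sizes and the sample identity and password are assumptions.

```python
import hashlib
import hmac
import secrets


def h(*parts: bytes) -> bytes:
    """h(x || y || ...); SHA-256 is an assumed stand-in for the scheme's hash."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def register(k_gw_u: bytes, user_id: bytes, password: bytes):
    """Section 3.1.1. Returns (card, r_i); the card holds {b_i, c_i, d_i, ID_i}."""
    r_i = secrets.token_bytes(32)              # user's random number r_i
    mp = h(password)                           # h(PW_i)
    p_i = h(r_i, mp)                           # P_i = h(r_i || h(PW_i))
    a_i = h(k_gw_u, user_id)                   # gateway: a_i = h(K_GW_U || ID_i)
    card = {
        "b": xor(a_i, h(p_i, mp)),             # b_i = a_i XOR h(P_i || h(PW_i))
        "c": h(a_i, mp, user_id),              # c_i = h(a_i || h(PW_i) || ID_i)
        "d": xor(r_i, h(user_id, password)),   # d_i = r_i XOR h(ID_i || PW_i)
        "id": user_id,
    }
    return card, r_i


def card_login_check(card: dict, user_id: bytes, password: bytes):
    """Section 3.2 check. Uses card data only; returns (r_i, a_i) or None."""
    r = xor(card["d"], h(user_id, password))   # r_i* = d_i XOR h(ID_i* || PW_i*)
    mp = h(password)                           # MP_i* = h(PW_i*)
    p = h(r, mp)                               # P_i* = h(r_i* || MP_i*)
    a = xor(card["b"], h(p, mp))               # a_i* = b_i XOR h(P_i* || MP_i*)
    c = h(a, mp, user_id)                      # c_i* = h(a_i* || MP_i* || ID_i*)
    return (r, a) if hmac.compare_digest(c, card["c"]) else None


if __name__ == "__main__":
    K_GW_U = secrets.token_bytes(32)           # constructed gateway key
    card, r_i = register(K_GW_U, b"user-01", b"constructed-password")
    ok = card_login_check(card, b"user-01", b"constructed-password")
    bad = card_login_check(card, b"user-01", b"another-candidate")
    print("correct password accepted:", ok is not None)
    print("r_i recovered from card  :", ok is not None and ok[0] == r_i)
    print("wrong password accepted  :", bad is not None)
```

Because $c_i$ acts as a stored password verifier, the card contents have to be protected as if they were the password itself.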

V. Refined Protocol Design 

IEEE 802.15.4 defines parameters for low-range personal area networks and was specially designed to provide devices with
low-speed and low-cost communication. The encryption mechanism specified in the IEEE 802.15.4 standard is mainly designed
for symmetric key encryption. There are two kinds of devices: a Reduced Functional Device (RFD) and a Full Functional
Device (FFD). While an RFD acts as a low-power sensor, an FFD acts as a gateway. We model a symmetric key based wireless
sensor network, which contains some sensor nodes, a gateway and a user. The gateway authenticates the user, computes the
session key and distributes it to the user and sensor node.

VI. Proposed Scheme 

We propose a new ECC-based user authentication scheme for Wireless Sensor Networks, which resolves all the identified
weaknesses of Akansha S. et al.’s scheme and ensures high-level security. Our scheme reduces the sensor node’s cost of
elliptic curve random point scalar multiplications. We replaced them with low-cost and effective symmetric-key based
operations. In addition, to make our protocol more secure, we combined the Elliptic Curve Digital Signature Algorithm
(ECDSA) with a Message Authentication Code (MAC) for entity authentication.


Table 2
Notations

Symbol | Definition
$U_i$ | $i^{th}$ User
$S_j$ | $j^{th}$ Sensor Node
$SC$ | Smart card
$ID_i$ | $i^{th}$ User’s identity
$ID_j$ | $j^{th}$ Sensor node’s identity
$PW_i$ | $i^{th}$ User’s password
$PW_j$ | $j^{th}$ Sensor node’s password
$GW$ | Gateway
$q$ | a large prime
$p$ | a large prime such that $p = 2q + 1$
$P$ | a base point of large order $n$ chosen for an elliptic curve, which is known to all $U_i$
$Q_i, q_i$ | Public and private key pair of a $U_i$
$Q_v, q_v$ | Public and private key pair of the powerful node $V$
$Sig_u(m)$ | The signing algorithm based on ECDSA protocols under $U_i$’s private key $q_i$ and the signed message $m$
$MAC(m, k)$ | The calculation of a MAC for a message $m$ using MAC key $k$
$N_i, N_k$ | Nonces
$T$ | Timestamp
$\oplus$, $\|$, $h(.)$ | XOR, concatenation and a lightweight one way hash function
$sk$ | Session key

6.1 Registration Phase

The registration part contains two subparts. The first part is between user and gateway and the second part is between sensor 
node and the gateway. 

6.1.1 Registration between User and Gateway 

1) The user $U_i$ chooses his $ID_i$, $PW_i$, selects random integer $b$ and computes $pw = h(PW_i \oplus b) * P$

2) $U_i$ creates the pair of signing and verifying keys $(Q_i, q_i)$ and sends message $\{pw, ID_i, Q_i\}$ to the GW

3) GW stores value sets the pair of private and public keys $(Q_v, q_v)$

4) GW computes $a = h(pw \| ID_i) * P$ and sends message $\{a, q_v\}$ to $U_i$

5) When $U_i$ receives the message, he stores values $(a, q_v, b, P)$ in SC

6.1.2 Registration between Gateway and Sensor Node 

1) $S_j$ selects its $ID_j$, $h(PW_j)$ and generates random number $y$

2) $S_j$ computes $c = h(ID_j \| y)$, $j = h(ID_j \| c \| h(PW_j) \| T_1)$ and sends message $\{j, ID_j, h(PW_j), c, T_1\}$ to the GW

3) GW checks timestamp $T_1$ and compares received value $j$ with new one.

4) GW calculates $d = h(c \| ID_j) * P$, $g = d.x \oplus h(ID_j \| h(PW_j))$, where $d.x$ is the x-coordinate of $d$, and calculates $f = h(g \| T_2)$

5) GW sends message $\{f, g, T_2\}$ to $S_j$

6) $S_j$ checks timestamp $T_2$, compares received value $d$ with new one and stores it.


Figure 1 Registration phase (message flow between User, GW and Sensor Node)


6.2 Login and Authentication Phase 

After the user has passed the registration phase, he can connect to the sensor node via the gateway node.

6.2.1 Login phase 

1) $U_i$ inserts SC into terminal, inputs $ID_i$ and $PW_i$

2) Computes new value $a^* = h(pw \| ID_i) * P$ and compares it with the value taken from SC: $a^* = a$?

3) $U_i$ selects random nonces $k$ and $N_i$, where $k$ is a MAC key

4) $U_i$ computes secret value $R = a * q_v$ and cipher text $w = (k \| N_i) \oplus R.x$

5) Generates an ECDSA signature $s = Sig_u(a \| w)$ and sends message $\{s, a, w\}$ to the GW

6.2.2 Authentication phase 

1) When the GW receives the message from $U_i$, it restores secret value $R = h(pw \| ID_i) * Q_v$

2) Extracts $k$ from value $w$

3) Generates random value $N_k$

4) Computes session key $sk = h(N_k \| k)$ and cipher text $e = sk \oplus R.x$

5) GW first sends message $\{e, MAC(e, k)\}$ to $U_i$, which upon receiving it verifies the MAC and calculates session key $sk = e \oplus R.x$

6) GW computes $Z = R.x \oplus d.x$ and forwards message $\{pw, e, Z, w\}$ to $S_j$

7) $S_j$ extracts $R$ from $Z = R.x \oplus d.x$ and computes session key $sk = e \oplus R.x$

8) $S_j$ extracts $k$ from $w$ and sends message $E(pw.x \| N_i, sk)$, $MAC(E(pw.x \| N_i, sk), k)$ to $U_i$

9) $U_i$ verifies the MAC, decrypts the cipher text and checks the received session key value against his own: $sk^* = sk$?


Figure 2 Login and Authentication phase (message flow between Gateway, Sensor node and User)
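
The session-key delivery of login steps 3-4 and authentication steps 2-5, as an added example that is not the authors' implementation: the user masks $(k \| N_i)$ with $R.x$, the GW unmasks $k$, derives $sk$ and returns $\{e, MAC(e, k)\}$, and the user checks the MAC before unmasking. It assumes both sides already hold the same 32-byte $R.x$ (random bytes stand in for the ECC step), omits the ECDSA signature $s$, and instantiates h(.) as SHA-256 and MAC as HMAC-SHA256.

```python
import hashlib
import hmac
import secrets

HALF = 16  # assumed byte length of MAC key k and nonce N_i, so k || N_i matches R.x


def h(*parts: bytes) -> bytes:
    """h(x || y || ...); SHA-256 is an assumed stand-in."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def mac(message: bytes, key: bytes) -> bytes:
    """MAC(m, k); HMAC-SHA256 is an assumed instantiation."""
    return hmac.new(key, message, hashlib.sha256).digest()


def user_login(r_x: bytes):
    """Login steps 3-4: choose k and N_i, then w = (k || N_i) XOR R.x."""
    k, n_i = secrets.token_bytes(HALF), secrets.token_bytes(HALF)
    return k, n_i, xor(k + n_i, r_x)


def gateway_respond(r_x: bytes, w: bytes):
    """Authentication steps 2-5 on the GW: returns (sk, e, tag)."""
    k = xor(w, r_x)[:HALF]                  # extract k from w
    n_k = secrets.token_bytes(HALF)         # random value N_k
    sk = h(n_k, k)                          # sk = h(N_k || k)
    e = xor(sk, r_x)                        # e = sk XOR R.x
    return sk, e, mac(e, k)                 # message {e, MAC(e, k)}


def user_accept(r_x: bytes, k: bytes, e: bytes, tag: bytes):
    """Step 5 on the user: verify MAC(e, k) first, then sk = e XOR R.x."""
    if not hmac.compare_digest(mac(e, k), tag):
        return None                         # reject before unmasking e
    return xor(e, r_x)


def run_exchange():
    """One honest run plus a tampered copy; R.x is a constructed stand-in."""
    r_x = secrets.token_bytes(32)
    k, _n_i, w = user_login(r_x)
    sk_gw, e, tag = gateway_respond(r_x, w)
    sk_user = user_accept(r_x, k, e, tag)
    flipped = bytes([e[0] ^ 0x01]) + e[1:]  # one bit changed in transit
    return {
        "keys_match": sk_user == sk_gw,
        "tampered_rejected": user_accept(r_x, k, flipped, tag) is None,
    }


if __name__ == "__main__":
    print(run_exchange())
```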


VII. Security Analysis 

This section provides a security analysis of our work and proves that the proposed scheme resists several attacks and is
able to provide secure authentication.

7.1 Sensor Node Replication Attack 

In this type of attack, an attacker generates his own low-cost sensor node, called a forged node, and misleads the network
into accepting it as a legitimate one. To perform this attack, an attacker needs to physically capture one of the nodes and
collect all secret values (ID, cryptographic keys etc.). After that, the attacker duplicates the sensor node and places one
or more copies of the node into the current network. To avoid replayed message attacks in our protocol, we used a fresh
nonce n, which is sent by user $U_i$. If an attacker plans to replay a previously transferred message from user $U_i$, then
he has to use the previously sent nonce value n. Thus, an adversary is not able to replay the message, because the GW knows
the last nonce value, which was created by user $U_i$.

7.2 Sybil Attack 

By generating different accounts from various IP addresses, an adversary presents himself under multiple forged identities.
To resist such an attack, we used ECDSA to create and verify the signature of each user $U_i$. The attacker cannot pretend
to be user $U_i$ and pass the GW without the private key $q_i$. Even in the worst case, where the attacker exposes user
$U_i$, he is still unable to claim a new identity of user $U_i$ in the neighborhood of user $U_j$, because the attacker only
knows the private key of the exposed user $U_i$ but not the private key of user $U_j$. In sum, due to using ECDSA on the
gateway to authenticate the identity of the user, the proposed protocol withstands the Sybil attack.

7.3 Insider Attack 

An insider attack usually appears when the GW or system administrator has access to a user’s credentials and can
impersonate the user. In our scheme, it is not possible for an insider of the GW node to get the user’s password, because
the GW only has the value $pw$, which contains the values $b$ and $PW_i$. The value $b$ is a high-entropy value, which is
not revealed to the GW. Thus, it is not possible to guess both values of $pw$.

7.4 Man-in-the-Middle Attack

An adversary intercepts the messages being exchanged between the entities and sends forged messages impersonating one of
them. In our scheme, the message exchange between user $U_i$ and GW is performed using a signature and a MAC key, which
allow only the legal entities to authenticate each other.

7.5 Mutual Authentication 

Mutual authentication is the main security property for an authentication protocol. In our case, the proposed scheme
provides mutual authentication between 2 entities: user and gateway. The signature of the message sent from user $U_i$ to
GW provides authentication of user $U_i$. Also, a Message Authentication Code provides evidence of integrity for the
message, because the MAC key $k$ was generated and encrypted by user $U_i$. Thus, only the GW with private key $q_v$ can
recover value $k$. When the GW sends back a message, it will use the same MAC key $k$.

VIII. Conclusion 

In this paper, Akansha S. et al.’s protocol has been reviewed and analysed. Based on the cryptanalysis of their scheme,
some drawbacks have been found. In the registration part, the gateway generates a new secret value, which is not known to
the sensor node. Hence, the sensor node is unable to check the identity of the received secret value. Also, there is a
possibility of a smart card breach attack, because the adversary only needs to guess the user’s password to obtain values
from the smart card. In the authentication part, the sensor node computes the session key value and sends it to the user.
This leads to the sensor impersonation attack, since the user doesn’t know the value of the session key and cannot
authenticate the sensor node. The general vulnerability of Akansha S. et al.’s scheme is that they only used a hash
function, XOR and concatenation. As mentioned above, these operations cannot provide enough security. In contrast to
Akansha S. et al.’s scheme, we have designed a protocol based on the IEEE 802.15.4 standard network model using ECC. In our
scheme, the signature algorithm ECDSA and the Message Authentication Code (MAC) have been implemented, which provide mutual
authentication. Also, in the registration part, the scheme provides secure key agreement resistant to the smart card breach
attack.